On Fri, Sep 14, 2012 at 7:51 PM, Damien Fleuriot <[email protected]> wrote:
>
> On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé <[email protected]> wrote:
>
>> Hi,
>> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
>> option to the kernel configuration file:
>> options PF_DEFAULT_TO_DROP
>>
>> Without this option, with an empty pf.conf: all traffic is permitted.
>> With this option enabled, with an empty pf.conf: all traffic is
>> dropped by default.
>>
>> If the attached file is removed, you can find the patch here:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>>
>> Regards,
>>
>> Olivier
>> <freebsd.pf_drop.patch>
>
>
> Is there any point to this?
>
> I mean, PF has to be enabled manually anyway, so it's not like it adds any
> kind of default security.
> Worse, it could lock careless people out.
>
>
> People able to use this (read: who can rebuild a kernel) likely are
> intelligent enough to cobble up a default block rule for their
> pf.conf.
If you must do this then please consider adding a /boot/loader.conf setting instead of a kernel configuration option. The option could be read only on a running system or dependent on securelevel(7).

-Kimmo
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
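The thread turns on one fact: with no PF_DEFAULT_TO_DROP-style option, an empty or pass-only pf.conf passes everything, so the "default block rule" Damien mentions is the administrator's responsibility. The script below is an added example, not code from Olivier's patch, from FreeBSD, or from anyone in the thread. It writes a fail-closed pf.conf skeleton next to a constructed pass-only one, and runs a small lint that refuses any ruleset lacking a catch-all `block ... all` rule (either undirected, or one each for `in` and `out`). The interface name `em0` and the network `192.0.2.0/24` are placeholders, and the `pfctl -nf` syntax check only runs where pfctl exists.

```shell
#!/bin/sh
# Added example for this thread; not code from the patch or from FreeBSD.
# Writes a default-deny pf.conf skeleton and lints a ruleset for the
# catch-all "block" rule that an empty pf.conf lacks.
# Interface name and admin network below are placeholders (assumptions).

# A minimal fail-closed ruleset: "block all" first, explicit "pass" after.
# pf is last-match-wins (unless "quick"), so anything no later rule
# passes is dropped.
gen_default_deny_pfconf() {
    cat <<'EOF'
ext_if = "em0"                 # placeholder interface
admin_net = "192.0.2.0/24"     # placeholder management network

set skip on lo0
set block-policy drop

# Catch-all first; everything not explicitly passed below is dropped.
block log all

# Explicit allow-list
pass in  quick on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state
pass out quick on $ext_if inet keep state
EOF
}

# Constructed counter-example: pass rules only, no catch-all block.
# For traffic those rules do not mention it is as open as an empty pf.conf.
gen_open_pfconf() {
    cat <<'EOF'
ext_if = "em0"
pass in  on $ext_if proto tcp to port 22
pass out on $ext_if
EOF
}

# Normalise a ruleset: strip comments, surrounding whitespace, blank lines.
normalized_rules() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | grep -v '^$' || true
}

# Count catch-all block rules of the shape
#   block [return|drop] [in|out] [log] [quick] all
# $1 = file, $2 = regex fragment for the direction slot ('' = undirected).
catchall_count() {
    normalized_rules "$1" \
      | grep -Ec "^block([[:space:]]+(drop|return))?$2([[:space:]]+log)?([[:space:]]+quick)?[[:space:]]+all\$" \
      || true
}

# Return 0 when the ruleset is fail-closed in both directions:
# an undirected "block ... all", or both an "in" and an "out" variant.
check_default_block() {
    any=$(catchall_count "$1" '')
    ins=$(catchall_count "$1" '[[:space:]]+in')
    outs=$(catchall_count "$1" '[[:space:]]+out')
    if [ "$any" -gt 0 ] || { [ "$ins" -gt 0 ] && [ "$outs" -gt 0 ]; }; then
        return 0
    fi
    return 1
}

# Demonstration: lint both rulesets; syntax-check with pfctl where present.
demo() {
    tmp=$(mktemp -d)
    gen_default_deny_pfconf > "$tmp/closed.conf"
    gen_open_pfconf         > "$tmp/open.conf"
    for f in "$tmp/closed.conf" "$tmp/open.conf"; do
        if check_default_block "$f"; then
            echo "$f: has a catch-all block rule (fail-closed)"
        else
            echo "$f: NO catch-all block rule; unmatched traffic passes"
        fi
        # pfctl exists only on pf hosts; -n parses without loading.
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -nf "$f"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh pf_default_check.sh demo`. The lint is deliberately narrow: it recognises only the literal `block ... all` forms, so a ruleset that relies on `block in on $ext_if all` per interface is reported as open, which is the conservative answer for a check whose job is to catch the fail-open case.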
